I don't see Incident data in Splunk App for ServiceNow. I see ChangeTicket data though. I see no errors in /app/splunk/var/log/splunk/splunk_ta_snow_main.log either. What could be the reason?
Logs show it is going to the right URL and getting the data, but I don't see any data written to indexers to query.
Could it be the checkpoint? I would delete the checkpoint file from splunk/var/libt/splunk/modinput and disable/enable the input again.
index=_internal snow error should return some errors otherwise.
OK, so now it makes more sense. Sounds like sys_updated_on is not returned by the API, which could be permission. To find out more, you can run
https://.service-now.com/.do?JSONv2&sysparm_query=sys_created_on>=2016-01-01+00:00:00^ORDERBYsys_created_on&sysparm_record_count=50 mysinstance.service-now.com
per the troubleshooting doc
http://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Troubleshooting
and see if those events are returned with that field included. If not, then SNOW admins need to investigate why.
Problem resolved. For some reason it didn't create that checkpoint file when all others were created and it fell in that black hole. Disabling and enabling of the incident data type made it work. Thanks for the guidance.
Where does this checkpoint file reside under the snow add-on? Disable and enable doesn't work.
You are on the right track. I see these errors in the log. I am thinking it's related to that. I don't see a checkpoint for that incident table created. I see for other ServiceNow tables though.
2/16/17
8:23:01.310 PM
2017-02-16 20:23:01,310 ERROR pid=18563 tid=Thread-17 file=thread_pool.py:_run:259 | Traceback (most recent call last):
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/framework/thread_pool.py", line 257, in _run
    func()
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/snow_job_factory.py", line 38, in __call__
    sc.DEFAULT_RECORD_LIMIT))
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 142, in collect_data
    self._write_checkpoint(table, timefield, jobjs, refreshed)
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 278, in _write_checkpoint
    if obj[timefield] == latest_timestamp]
KeyError: u'sys_updated_on'
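Added example, not part of the thread and not the add-on's own code: a small check to run over a saved API reply to see which records lack the time field that the KeyError above points at, and what checkpoint value the remaining records would give. The `{"records": [...]}` reply shape, the function names and the sample data are assumptions made for illustration.

```python
import json

# Constructed sample shaped like a JSONv2 reply ({"records": [...]}); not real data.
SAMPLE_REPLY = json.dumps({"records": [
    {"sys_id": "a1", "number": "INC0000001",
     "sys_created_on": "2016-01-02 10:00:00",
     "sys_updated_on": "2016-01-03 09:00:00"},
    # Field absent, e.g. hidden from the integration account.
    {"sys_id": "b2", "number": "INC0000002",
     "sys_created_on": "2016-01-04 11:30:00"},
    # Field present but empty.
    {"sys_id": "c3", "number": "INC0000003",
     "sys_created_on": "2016-01-05 08:15:00",
     "sys_updated_on": ""},
]})


def audit_timefield(reply_text, timefield="sys_updated_on"):
    """Split one reply into usable records and sys_ids missing the time field."""
    records = json.loads(reply_text).get("records", [])
    usable, missing = [], []
    for rec in records:
        if rec.get(timefield):          # absent or empty both count as missing
            usable.append(rec)
        else:
            missing.append(rec.get("sys_id", "<no sys_id>"))
    return usable, missing


def latest_checkpoint(usable, timefield="sys_updated_on"):
    """Newest timestamp among usable records, or None when nothing can be checkpointed.

    'YYYY-MM-DD HH:MM:SS' strings sort chronologically, so max() is enough.
    """
    if not usable:
        return None
    return max(rec[timefield] for rec in usable)


if __name__ == "__main__":
    usable, missing = audit_timefield(SAMPLE_REPLY)
    print("records missing sys_updated_on:", missing)
    print("checkpoint from usable records:", latest_checkpoint(usable))
```
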
Hello,
How was the issue resolved? Can you please provide the steps?